Request #77505 streams/HTTPS cannot be used with WinSSL/schannel
Submitted: 2019-01-23 01:35 UTC Modified: 2019-01-25 11:32 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: vjardin at free dot fr Assigned:
Status: Open Package: Streams related
PHP Version: 7.3.1 OS: Windows
Private report: No CVE-ID: None

 [2019-01-23 01:35 UTC] vjardin at free dot fr
Description:
------------
Assuming WinSSL is used, so openssl is disabled,
  $data = file_get_contents('https://www.google.fr/');

leads to
PHP Warning:  file_get_contents(): Unable to find the wrapper "https" - did you forget to enable it when you configured PHP? in ssl.php on line 2

If we enable openssl, but the certificates are in the Windows' store, then of course, it cannot work:

$ php -d extension=openssl ssl.php
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure in ssl.php on line 7


------------------

$ php -v
PHP 7.2.14RC1 (cli) (built: Jan  6 2019 01:20:28) ( NTS MSVC15 (Visual C++ 2017) x64 )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

$ php -i | findstr configu
Configure Command => cscript /nologo configure.js "--enable-snapshot-build" "--enable-crt-debug" "--disable-zts" "--enable-pdo" "--with-pdo-oci=C:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--with-oci8=C:\php-sdk\oracle\x64\instantclient_10_2\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\x64\instantclient_11_2\sdk,shared" "--with-oci8-12c=C:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--enable-com-dotnet=shared" "--with-ereg=shared" "--with-odbcver=0x0380" "--with-php-build=../win64build.vc15"

$ php -i | findstr /I SSL
SSL => Yes
SSL Version => WinSSL
core SSL => supported
extended SSL => not supported
OpenSSL support => disabled (install ext/openssl)




Test script:
---------------
ssl.php:

<?php

$data = file_get_contents('https://www.google.fr/');

var_dump($data);


Expected result:
----------------
Open a stream SSL/HTTPS connection without OpenSSL but using WinSSL. libssh2 does support libssh2/WinSSL. It can become the abstraction layer.


 [2019-01-25 11:32 UTC] ab@php.net
Thanks for the report.

> Assuming WinSSL is used, so openssl is disabled,
There is no support for WinSSL in streams, so it can't be used. To use encrypted streams, OpenSSL is required.

> If we enable openssl, but the certificates are in the Windows' store, then of course, it cannot work:
OpenSSL interacts with the Windows certificate store. The certificate store receives centralized updates. If something is not there - most likely the store has not been updated yet. That's also often a reason for issues with self-signed certificates.

Having support for WinSSL might be a feature, yes. However, not all the dependencies support it. Also, for the core we'd have to maintain two layers of security, which doubles efforts and bug sources. Just depending on OpenSSL seems OK.

Thanks.
 [2019-07-05 22:03 UTC] vjardin at free dot fr
For the maintenance, it depends on the point of view. Having a native Windows SSL support instead of openssl decreases the SSL surface to a unique WinSSL / schannel that becomes the common SSL layer for all Windows applications. When PHP uses openssl, it means that we have to keep 2 SSL stacks on Windows (WinSSL + openssl).
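
The thread above turns on which TLS backend each part of a PHP build uses. The following diagnostic is an added example, not code from the report or from the PHP project. It assumes the `SSL Version => WinSSL` line in the `php -i` output comes from the curl extension; the function names `tls_report` and `fetch_https` are hypothetical.

```php
<?php
// Added diagnostic: report which TLS backend each HTTP client path uses
// and whether the https:// stream wrapper is available in this build.

function tls_report(): array
{
    $report = [
        // Encrypted streams need ext/openssl, which registers https://.
        'openssl_loaded' => extension_loaded('openssl'),
        'https_wrapper'  => in_array('https', stream_get_wrappers(), true),
        'curl_backend'   => null,
        'openssl_ca'     => null,
    ];
    if (extension_loaded('curl')) {
        // libcurl's own TLS backend; independent of the streams layer.
        $report['curl_backend'] = curl_version()['ssl_version'] ?? null;
    }
    if ($report['openssl_loaded']) {
        // Where OpenSSL-backed streams look for CA certificates.
        $loc = openssl_get_cert_locations();
        $report['openssl_ca'] = [
            'default_cert_file' => $loc['default_cert_file'],
            'default_cert_dir'  => $loc['default_cert_dir'],
            'ini_cafile'        => $loc['ini_cafile'],
            'ini_capath'        => $loc['ini_capath'],
        ];
    }
    return $report;
}

function fetch_https(string $url)
{
    if (!in_array('https', stream_get_wrappers(), true)) {
        return false; // no wrapper: run with "php -d extension=openssl"
    }
    // Keep certificate and host name verification switched on explicitly.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
    ]]);
    return file_get_contents($url, false, $ctx);
}

print_r(tls_report());
if (isset($argv[1])) { // optional URL argument, e.g. the one from the report
    $body = fetch_https($argv[1]);
    echo $body === false ? "fetch failed\n" : strlen($body) . " bytes received\n";
}
```

Run it once as `php tls_report.php` and once with `-d extension=openssl` to compare the two configurations shown in the report.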
 
Last updated: Wed Sep 18 19:01:51 2019 UTC